Software distribution fails on client computers, but works on DC

  • Thread starter Thread starter Jo Siffert
  • Start date Start date
J

Jo Siffert

Hi all,

I am having trouble with the software distribution feature of the Active
Directory.

I would like to assign a MSI-Package to all computers in the domain. I
did the following:
- I created a share containing the package. I granted
Read/Exec-Permissions to Everyone and Full COntrol to the
Administrators. I applied the same security settings to the folder. I
also tried granting anonymous users access.

- I registered the package in the default domain policy using
\\server\share\xx.msi as source path. I tried both granting
Authenticated Users or Everyone access to the GPO.

Now when I restart the domain controller, everything works fine - the
software is installed before the logon window apears. However, when I
restart a workstation, a event log entry "Changes to software
installation settings were applied successfully" is created, but the
software is not installed.
Furthermore, in the Add/Remove Programs tool, my package does not
appear. The category however is visible.
On the domain controller, both the category and the package appears.

My guess is that there is something wrong with my security settings. But
I do not know which ACL to adjust other than the ones of the folder, he
share and the GPO. I am also not sure which account the workstation uses
to access the share.

Any suggestions?

Thanks,
Jo
 
Jo,

I would suggest this:

On the folder that holds the application I would grant Domain Admins 'Full
Control' on both the Share and NTFS permissions. You might want to use
Administrators instead of Domain Admins....your call. I would also grant
Domain Computers simply 'Read' on both the Share and NTFS permissions.
This should take care of things as far as that goes. Just a hint: I like
to hide the shared folder when deploying software via GPO so that this
shared folder does not show up when users are browsing the network. You
accomplish this by appending the "$" at the end of the share name. So, if
you have a folder called Office 2003 and you share it as OFF2K03 I would
share it as OFF2K03$ so that it is hidden. Now, if you do a net share it
will still show up....

I am not sure what you mean by 'registered the package'...I can only assume
that you mean that you created the deployment package as part of the Default
Domain Policy. There are a couple of schools of thought about that. One
school of thought suggests that you should leave the Default Domain Policy
as-is and create any additional GPOs as new and separate GPOs. Another
school of thought suggests that you should put all of the 'GPOs' that you
will create to the computer configuration side of things inside of one GPO
and that you should put all of the 'GPOs' that you will create to the user
configuration side of things inside another GPO. Thus, you would have only
four GPOs in your domain: the Default Domain Policy, the Default Domain
Controller Policy and then the Computer Policy and the User Policy. There
is yet another school of thought that suggests that you should create each
GPO individually and then, after time has passed, combine them into one or
two ( whatever the case might be ) larger GPOs. The thought process being
that you can better troubleshoot any problems. After all the kinks have
been worked out you could combine them into one big one. I am a fan of
whatever works.

But I digress.

The software is indeed installed when you reboot a domain controller. But
it does not when you reboot a workstation. It looks like it is and you get
the message that it installed but it is not there. Have you looked on the
workstation in the event logs? What type of errors do you see? There
should be some.

Do you change anything on the security tab of the GPO itself? The security
group 'Authenticated Users' is generally given both the READ and APPLY GROUP
POLICY rights. Do you have this group or did you change it to something
else?

What troubleshooting have you done? Have you used GPOTool or GPResults?

What are the operating systems involved?

HTH,

Cary
 
Hi Cary,

I found out that the reason for the software not beeing installed on the
client machines was the language setting - my DC is German, my clients
are English and the software was German again... when I used the Ignore
Language-setting, everything worked fine.

But thanks a lot for your hints though.

Jo
 
Jo,

Haette ich doch mal wissen muessen!

Did not even think that there were multiple languages going on....

Cary
 
Back
Top